YARA-L outcome problems

Hi!

I want to create a rule that covers different clients ($udm.metadata.ingestion_labels["customer"]) and, for each of them, generates alerts for different users ($udm.target.user.email_addresses).

I have seen that in the dashboards and visualizations you cannot use the fields inside metadata; I guess that information is lost after detection.

In my case, I want to use the field ($udm.metadata.ingestion_labels["customer"]) as a filter in the dashboards. I understand that in order to do that, I have to pass that value through 'outcome' to the detection output. That's where I'm having problems.

My rule is the following:

 

rule rule_prueba {

  meta:
    author = "mireia"
    // "detection in different environments"
    description = "deteccion en entornos distintos"
    severity = "Low"

  events:
    // Bind the customer ingestion label to a placeholder, intended for export in outcome
    $udm.metadata.ingestion_labels["customer"] = $who

    (
        // Customer "perseus": USER_LOGIN by this user with conditionalAccessStatus = success
        $udm.metadata.log_type = "AZURE_AD" and
        $udm.metadata.event_type = "USER_LOGIN" and
        $udm.target.user.email_addresses = "mireia@prueba.eus" and
        $udm.metadata.ingestion_labels["customer"] = "perseus" and
        $udm.additional.fields["conditionalAccessStatus"] = "success"
    )

    or

    (
        // Customer "prueba": USER_LOGIN by this user with conditionalAccessStatus = success
        $udm.metadata.log_type = "AZURE_AD" and
        $udm.metadata.event_type = "USER_LOGIN" and
        $udm.target.user.email_addresses = "almike@prueba.eus" and
        $udm.metadata.ingestion_labels["customer"] = "prueba" and
        $udm.additional.fields["conditionalAccessStatus"] = "success"
    )

  outcome:
    $risk_score = 0
    $exported_who = $who

  condition:
    $udm
}

 


As you can see, it is a simple rule: it checks event by event and, if an event fulfills either of the two conditions, it generates a detection. Therefore, in each detection there will only be one customer; it is not a correlated event where the field 'customer' can have more than one value.

But this rule triggers the following error:

I know that the options currently available in outcome are (array, array_distinct, max...), but none of them provides the functionality needed to carry the desired information.

What do I have to do to be able to use the '$udm.metadata.ingestion_labels["customer"]' field as a filter in the dashboards? What would be the right way to make this work?

 

Thanks in advance!

1 ACCEPTED SOLUTION

I finally solved the problem by configuring the rule in this way:

 

rule rule_prueba {

  meta:
    author = "mireia"
    // "detection in different environments"
    description = "deteccion en entornos distintos"
    severity = "Low"

  events:
    // The placeholder binding is no longer needed; the label is read directly in outcome
    // $udm.metadata.ingestion_labels["customer"] = $who

    (
        // Customer "perseus": USER_LOGIN by this user with conditionalAccessStatus = success
        $udm.metadata.log_type = "AZURE_AD" and
        $udm.metadata.event_type = "USER_LOGIN" and
        $udm.target.user.email_addresses = "mireia@prueba.eus" and
        $udm.metadata.ingestion_labels["customer"] = "perseus" and
        $udm.additional.fields["conditionalAccessStatus"] = "success"
    )

    or

    (
        // Customer "prueba": USER_LOGIN by this user with conditionalAccessStatus = success
        $udm.metadata.log_type = "AZURE_AD" and
        $udm.metadata.event_type = "USER_LOGIN" and
        $udm.target.user.email_addresses = "almike@prueba.eus" and
        $udm.metadata.ingestion_labels["customer"] = "prueba" and
        $udm.additional.fields["conditionalAccessStatus"] = "success"
    )

  outcome:
    $risk_score = 0
    // Export the customer label straight from the event field so it reaches the detection
    $who = $udm.metadata.ingestion_labels["customer"]

  condition:
    $udm
}
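As an added example (not the poster's code), the same rule restructured so that the conditions shared by every customer are stated once and the monitored users for each customer live in reference lists rather than being hard-coded in the rule. The list names %perseus_monitored_users and %prueba_monitored_users are assumptions and would have to be created in the tenant. The outcome keeps the accepted solution's direct assignment from the event field, which works here because the rule has no match section, so every detection covers exactly one event and therefore one customer; in a rule with a match section the outcome values are computed over the match window with aggregation functions such as array_distinct or max.

```yara-l
rule conditional_access_success_by_customer {

  meta:
    author = "example"
    description = "Successful AZURE_AD sign-ins by monitored users, per customer, with the customer label exported for dashboard filters"
    severity = "Low"

  events:
    // Conditions shared by every customer, stated once
    $udm.metadata.log_type = "AZURE_AD"
    $udm.metadata.event_type = "USER_LOGIN"
    $udm.additional.fields["conditionalAccessStatus"] = "success"

    // One branch per customer. The users to watch for each customer are kept in a
    // reference list (assumed names), so adding a user does not mean editing the rule.
    (
        $udm.metadata.ingestion_labels["customer"] = "perseus" and
        $udm.target.user.email_addresses in %perseus_monitored_users
    )
    or
    (
        $udm.metadata.ingestion_labels["customer"] = "prueba" and
        $udm.target.user.email_addresses in %prueba_monitored_users
    )

  outcome:
    $risk_score = 0
    // Direct assignment from the event field, as in the accepted solution: no match
    // section, so each detection carries the single customer label of its event.
    $customer = $udm.metadata.ingestion_labels["customer"]

  condition:
    $udm
}
```

In the dashboards, filter on the outcome variable (here $customer) rather than on $udm.metadata.ingestion_labels["customer"]; the outcome is what the detection record carries.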

 
